Meta Data Is Not Stripped From images in polonel/trudesk

Valid

Reported on

May 23rd 2022


  1. Hey team, while uploading the site/page logo as an administrator, the metadata of the image (geolocation, device information, version, name, etc.) is not stripped. As a result, an attacker can collect all the metadata of the image using publicly available tools like ExifTool, metadata checkers, etc.

Steps to reproduce:

  1. Upload the site/page logo.
  2. Copy the image location and save it, or check the metadata directly on this site: http://exif-viewer.com
  3. All the information in the image (metadata) will be publicly disclosed.

Patch recommendation:

  1. Remove the metadata from uploaded images.

Impact

  1. This vulnerability impacts and violates the privacy of the person who uploads the image, because the metadata will be publicly accessible to third-party attackers via the common, predictable endpoint http://127.0.0.1:8118/assets/topLogo.jpg
We are processing your report and will contact the polonel/trudesk team within 24 hours. a month ago
Akshay Ravi
a month ago

Researcher


#Note:

Hey @maintainer, a normal user can also access the image with no privileges, because the site logo is common for all. Here is the PoC👇:

I added the CVSS score as Low (3.3); feel free to change it to Medium or higher than 3.3 if you wish, as per these impacts. Thanks.

We have contacted a member of the polonel/trudesk team and are waiting to hear back a month ago
Chris Brame modified the Severity from Low (3.3) to Medium (4.6) a month ago
Chris Brame assigned a CVE to this report a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Chris Brame validated this vulnerability a month ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chris Brame
a month ago

Maintainer


This has been fixed and will be released with version 1.2.3. I will update this report once released.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a month ago
Chris Brame confirmed that a fix has been merged on ae904d a month ago
Chris Brame has been awarded the fix bounty